CVE-2023-41266
CVE-2023-41266 is a high-severity vulnerability in Qlik Qlik Sense with a CVSS 3.x base score of 8.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-12-07). The underlying weakness is classified as CWE-22.
Key facts
- Severity: High (CVSS 3.x base score 8.2)
- EPSS exploit prediction: 85% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-12-07)
- EU (EUVD) id: EUVD-2023-45783
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-12-07)
- Weakness: CWE-22
- Affected product: Qlik Qlik Sense
- Published:
- Last modified:
Description
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
CVE-2023-41266: Path Traversal in Qlik Sense Enterprise for Windows Enables Unauthenticated Session Generation and Unauthorized Endpoint Access
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2023-41266 |
| Vendor | Qlik |
| Product | Qlik Sense Enterprise for Windows |
| CVSS v3 | 8.2 (HIGH) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| CWE | CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") |
| EPSS | 0.84966 (99.68th percentile) |
| KEV | Yes — added 2023-12-07 |
| EU Exploited | Yes — since 2023-12-07 |
Summary
A path traversal vulnerability in Qlik Sense Enterprise for Windows allows an unauthenticated remote attacker to generate an anonymous session and transmit HTTP requests to unauthorized endpoints. This flaw has been actively exploited in the wild and carries a CVSS v3 score of 8.2, reflecting high confidentiality impact and low integrity impact.
Background
Qlik Sense Enterprise for Windows is a widely deployed analytics and business intelligence platform used by organizations to create, share, and consume data visualizations. The product exposes multiple HTTP endpoints for authentication, session management, and API interactions. Under normal operation, unauthenticated users should be restricted to a limited set of public-facing endpoints. The vulnerability described in this advisory allows attackers to bypass these restrictions by exploiting insufficient path traversal controls within the application's request handling logic.
Root Cause
The vulnerability is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal").
The root cause lies in the application's failure to properly sanitize or normalize user-controllable input that is used to construct file system paths or route internal requests. By injecting traversal sequences (e.g., ..%2F), an attacker can navigate outside the intended directory or endpoint boundary. In this specific case, the traversal enables the attacker to reach an endpoint or resource that generates an anonymous session token, effectively granting the attacker an authenticated context without providing valid credentials. This session can then be used to access additional internal endpoints that would otherwise be protected.
Impact
The CVSS v3 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N quantifies the impact as follows:
- Attack Vector (AV): Network — exploitable remotely over the internet without any local network access.
- Attack Complexity (AC): Low — no special conditions or bypasses are required.
- Privileges Required (PR): None — fully unauthenticated.
- User Interaction (UI): None — no user action is needed.
- Scope (S): Unchanged — the vulnerable component is the only one affected.
- Confidentiality (C): High — unauthorized access to sensitive data and internal endpoints is possible.
- Integrity (I): Low — limited ability to modify data within the affected component.
- Availability (A): None — no direct impact on system availability is expected.
The practical impact is severe: an unauthenticated attacker can gain unauthorized access to internal API endpoints, retrieve sensitive configuration or data, and potentially perform limited unauthorized actions within the Qlik Sense environment. The absence of an availability impact does not diminish the severity of unauthorized data access.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: This section describes the attack flow at a high level for defensive and detection purposes only. No weaponized exploit code or step-by-step attack instructions are provided.
- Reconnaissance: The attacker identifies a publicly accessible Qlik Sense Enterprise for Windows instance, typically via internet-wide scanning or known organizational deployments.
- Path Traversal Injection: The attacker sends a crafted HTTP request containing directory traversal sequences in a path or query parameter that the application uses to resolve internal resources or endpoints.
- Anonymous Session Generation: The traversal bypasses the intended access boundary and reaches a session-generation endpoint. The application responds with an anonymous session token or cookie, effectively authenticating the attacker as a low-privilege user.
- Unauthorized Endpoint Access: Using the generated session, the attacker issues subsequent HTTP requests to internal endpoints that should require authentication. This may include data retrieval, configuration exposure, or other restricted functionality.
Defenders should focus on detecting anomalous path patterns (e.g., sequences containing ..%2F, %2e%2e%2f, or similar encoded variants) in HTTP requests to Qlik Sense endpoints, especially when followed by successful session establishment and subsequent requests to internal APIs.
Affected and Patched Versions
Affected versions (Qlik Sense Enterprise for Windows):
- May 2023 Patch 3 and earlier
- February 2023 Patch 7 and earlier
- November 2022 Patch 10 and earlier
- August 2022 Patch 12 and earlier
Patched versions:
- August 2023 IR
- May 2023 Patch 4
- February 2023 Patch 8
- November 2022 Patch 11
- August 2022 Patch 13
Organizations running any of the affected versions should treat this as a critical patching priority given the active exploitation status.
Remediation
Primary remediation:
Upgrade to the latest patched version as listed above. Qlik has released patches for all supported track lines. Ensure the patch level matches or exceeds the fixed versions before exposing the instance to untrusted networks.
Compensating controls (if immediate patching is not possible):
- Network segmentation: Restrict access to Qlik Sense Enterprise instances to authorized internal networks or VPN-only access. Do not expose the application directly to the internet unless absolutely necessary.
- Web Application Firewall (WAF): Deploy a WAF rule set that blocks path traversal sequences in HTTP request paths and query parameters. Ensure the rules cover both raw (
..%2F) and encoded variants (%2e%2e%2f,%252e%252e%252f, etc.). - Reverse proxy with URL filtering: Place a hardened reverse proxy in front of the Qlik Sense instance and explicitly deny requests containing traversal patterns.
- Session monitoring: Alert on the creation of anonymous sessions from unexpected source IPs or geolocations.
- Incident response readiness: Given active exploitation, verify that your incident response team has the capability to investigate unauthorized access to Qlik Sense environments and to identify potential data exfiltration.
Detection
- Proxy/WAF logs: Search for HTTP requests containing
..%2F,%2e%2e%2f, or similar traversal sequences targeting Qlik Sense endpoints, followed by HTTP 200 responses containing session cookies or tokens. - Authentication logs: Monitor for anonymous session creation events that are immediately followed by requests to internal endpoints typically requiring authentication.
- Endpoint telemetry: On the Qlik Sense server, monitor for unusual file system access patterns or process activity initiated by the web application service account.
- Network traffic analysis: Look for outbound data transfers from the Qlik Sense server to unexpected destinations after anomalous inbound HTTP requests.
Assessment
CVE-2023-41266 is a high-severity, actively exploited path traversal vulnerability with an EPSS score of 0.84966 (99.68th percentile), indicating a very high probability of exploitation in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog on 2023-12-07 and the EU Exploited Vulnerabilities Database confirms that threat actors are leveraging this flaw in real-world attacks.
Key lessons:
- Path traversal remains a critical class: Even modern enterprise applications can fall to classic directory traversal when input validation and path normalization are insufficient. Security reviews should always include path-handling logic.
- Unauthenticated access to session endpoints is a high-risk design: Any endpoint capable of generating an authenticated session without proper credentials is an attractive target. Such endpoints must be hardened with additional validation and rate limiting.
Organizations should prioritize patching and assume that unpatched internet-facing instances may already be compromised.
References
Frequently asked questions
- What is CVE-2023-41266?
- A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
- How severe is CVE-2023-41266?
- CVE-2023-41266 has a CVSS 3.x base score of 8.2, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability none.
- Is CVE-2023-41266 being actively exploited?
- Yes. CVE-2023-41266 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-12-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-41266?
- CVE-2023-41266 primarily affects Qlik Qlik Sense. In total, 36 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-41266?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-41266 have an EU (EUVD) identifier?
- Yes. CVE-2023-41266 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-45783. It is also flagged as exploited in the EUVD (since 2023-12-07).
- When was CVE-2023-41266 published?
- CVE-2023-41266 was published on 2023-08-29 and last updated on 2026-06-17.
References
- https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801
- https://community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41266
Affected products (36)
- cpe:2.3:a:qlik:qlik_sense:august_2022:-:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_1:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_10:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_11:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_12:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_2:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_3:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_4:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_5:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_6:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_7:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_8:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:august_2022:patch_9:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:february_2023:-:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:february_2023:patch_1:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:february_2023:patch_2:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:february_2023:patch_3:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:february_2023:patch_4:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:february_2023:patch_5:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:february_2023:patch_6:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:february_2023:patch_7:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:may_2023:-:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:may_2023:patch_1:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:may_2023:patch_2:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:may_2023:patch3:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:-:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:patch_1:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:patch_10:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:patch_2:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:patch_3:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:patch_4:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:patch_5:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:patch_6:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:patch_7:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:patch_8:*:*:enterprise:windows:*:*
- cpe:2.3:a:qlik:qlik_sense:november_2022:patch_9:*:*:enterprise:windows:*:*
More vulnerabilities in Qlik Qlik Sense
- CVE-2023-48365 — Critical (CVSS 9.6): Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka…
- CVE-2023-41265 — Critical (CVSS 9.6): An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and…
- CVE-2019-11628 — High (CVSS 8.2): An issue was discovered in QlikView Server before 11.20 SR19, 12.00 and 12.10 before 12.10 SR11, 12.20 before SR9, and…
- CVE-2025-61138 — High (CVSS 7.5): Qlik Sense Enterprise v14.212.13 was discovered to contain an information leak via the /dev-hub/ directory.
- CVE-2021-36761 — Medium (CVSS 5.3): The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows SSRF.
- CVE-2022-0564 — Medium (CVSS 5.3): A vulnerability in Qlik Sense Enterprise on Windows could allow an remote attacker to enumerate domain user accounts.…
All CVEs affecting Qlik Qlik Sense →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…